Application URI Configuration Changes

calendar Oct 23, 2025 · attack.initial-access attack.defense-evasion attack.t1528 attack.t1078.004 attack.persistence attack.credential-access attack.privilege-escalation  ·
Share on: linkedin copy

Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.

Sigma rule (View on GitHub)

 1title: Application URI Configuration Changes
 2id: 0055ad1f-be85-4798-83cf-a6da17c993b3
 3status: test
 4description: |
 5    Detects when a configuration change is made to an applications URI.
 6    URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.    
 7references:
 8    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes
 9author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
10date: 2022-06-02
11tags:
12    - attack.initial-access
13    - attack.defense-evasion
14    - attack.t1528
15    - attack.t1078.004
16    - attack.persistence
17    - attack.credential-access
18    - attack.privilege-escalation
19logsource:
20    product: azure
21    service: auditlogs
22detection:
23    selection:
24        properties.message: Update Application Sucess- Property Name AppAddress
25    condition: selection
26falsepositives:
27    - When and administrator is making legitimate URI configuration changes to an application. This should be a planned event.
28level: high

References

Related rules

to-top